
Module 3: Mitigating Threats

Instructor Materials

Networking Security v1.0 (NETSEC)
Instructor Materials – Module 3 Planning Guide

This PowerPoint deck is divided into two parts:

• Instructor Planning Guide
  • Information to help you become familiar with the module
  • Teaching aids
• Instructor Class Presentation
  • Optional slides that you can use in the classroom
  • Begins on slide # 10

Note: Remove the Planning Guide from this presentation before sharing with anyone.
For additional help and resources go to the Instructor Home Page and Course Resources for this course. You also can visit the professional development site on netacad.com, the official Cisco Networking Academy Facebook page, or the Instructor Only FB group.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Check Your Understanding

• Check Your Understanding activities are designed to let students quickly determine if they
understand the content and can proceed, or if they need to review.
• Check Your Understanding activities do not affect student grades.

• There are no separate slides for these activities in the PPT. They are listed in the notes area
of the slide that appears before these activities.

Module 3: Activities

What activities are associated with this module?

Page #   Activity Type              Activity Name                                   Optional?
3.3.4    Video                      Cisco SecureX Demonstration                     Recommended
3.5.5    Check Your Understanding   Identify Characteristics of the NFP Framework   Recommended
3.6.2    Module Quiz                Mitigating Threats                              Recommended

Module 3: Best Practices

Prior to teaching Module 3, the instructor should:

• Review the activities and assessments for this module.
• Try to include as many questions as possible to keep students engaged during classroom presentation.

Topic 3.1
• Ask the class:
  • How do network security professionals stay up to date on threats?
  • How do people prepare for a career in network security? (certifications should be a focus)

Topic 3.2
• Ask the class:
  • Ask the students if they have ever had to sign a network acceptable use agreement. What did the agreement specify?

Module 3: Best Practices (Cont.)

Topic 3.3
• Ask the class:
  • How does someone become an "ethical hacker"?
• Optionally, near the end of the module, have students search for and investigate the Kali Virtual Machine. What types of tools are included in Kali?

Topic 3.4
• Ask the class:
  • Have any of your students been the victim of, or know a victim of, a malware attack? What did the malware do to the infected system?
• Have your students choose one of the attacks discussed in this module. Students can research mitigation techniques for the chosen attack. Ask them to find three products or approaches to mitigating the attack.

Module 3: Best Practices (Cont.)

Topic 3.5
• Ask the class:
  • What is the value of dividing the functions of a network device into planes?

Module 3: Mitigating Threats

Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: Mitigating Threats

Module Objective: Explain tools and procedures to mitigate the effects of malware and common network attacks.

Topic Title - Topic Objective
• Defending the Network - Describe methods and resources to protect the network.
• Network Security Policies - Explain several types of network security policies.
• Security Tools, Platforms, and Services - Explain the purpose of security platforms.
• Mitigating Common Network Attacks - Describe the techniques used to mitigate common network attacks.
• Cisco Network Foundation Protection Framework - Explain how to secure the three functional areas of Cisco routers and switches.

3.1 Defending the Network

Defending the Network
Network Security Professionals

Network security professionals are responsible for maintaining data assurance for an organization
and ensuring the integrity and confidentiality of information.

Security specialist job roles within an enterprise include Chief Information Officer (CIO), Chief
Information Security Officer (CISO), Security Operations (SecOps) Manager, Chief Security Officer
(CSO), Security Manager, and Network Security Engineer. Regardless of job titles, network security
professionals must always stay one step ahead of the hackers:

• They must constantly upgrade their skill set to keep abreast of the latest threats.
• They must attend training and workshops.
• They must subscribe to real-time feeds regarding threats.
• They must peruse security websites daily.
• They must maintain familiarity with network security organizations. These organizations often
have the latest information on threats and vulnerabilities.
Defending the Network
Network Intelligence Communities
Organization - Description
• SANS - The SysAdmin, Audit, Network, Security (SANS) Institute resources are largely free upon request and include:
  • The Internet Storm Center - the popular internet early warning system
  • NewsBites, the weekly digest of news articles about computer security
  • @RISK, the weekly digest of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked
  • Flash security alerts
  • Reading Room - more than 1,200 award-winning, original research papers
  • SANS also develops security courses.
• Mitre - The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations.

Defending the Network
Network Intelligence Communities (Cont.)
Organization - Description
• FIRST - The Forum of Incident Response and Security Teams (FIRST) is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention, and rapid reaction.
• SecurityNewsWire - A security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities.
• (ISC)2 - The International Information Systems Security Certification Consortium (ISC)2 provides vendor-neutral education products and career services to more than 75,000 industry professionals in more than 135 countries.
• CIS - The Center for Internet Security (CIS) is a focal point for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial (SLTT) governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC). The MS-ISAC offers 24x7 cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response.

Defending the Network
Network Security Certifications
Certifications for network security professionals are offered by the following organizations:
• Global Information Assurance Certification (GIAC)
• International Information System Security Certification Consortium (ISC)2
• Information Systems Audit and Control Association (ISACA)
• International Council of E-Commerce Consultants (EC-Council)
• Certified Wireless Network Professionals (CWNP)

Cisco has replaced the Cisco Certified Network Associate Security (210-260 IINS) certification with a new CCNP
Security certification. CCNP Security consists of the CCNP Core exam combined with a Cisco Certified
Specialist security concentration exam:
• 300-710 SNCF - Network Security Firepower
• 300-715 SISE - Implementing and Configuring Cisco Identity Services Engine
• 300-720 SESA - Securing Email with Cisco Email Security Appliance
• 300-725 SWSA - Securing the Web with Cisco Web Security Appliance
• 300-730 SVPN - Implementing Secure Solutions with Virtual Private Networks
• 300-735 SAUTO - Automating and Programming Cisco Security Solutions
Defending the Network
Communications Security: CIA
Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The CIA Triad serves as a conceptual foundation for the field.

The CIA Triad consists of three components of information security:
• Confidentiality - Only authorized individuals, entities, or processes can access sensitive information.
• Integrity - This refers to the protection of data from unauthorized alteration.
• Availability - Authorized users must have uninterrupted access to the network resources and data that they require.

3.2 Network Security Policies

Network Security Policies
Network Security Domains
There are 14 network security domains specified by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC).

Network Security Domain - Description
• Information Security Policies - This annex is designed to ensure that security policies are created, reviewed, and maintained.
• Organization of Information Security - This is the governance model set out by an organization for information security. It assigns responsibilities for information security tasks within an organization.
• Human Resources Security - This addresses security responsibilities relating to employees joining, moving within, and leaving an organization.
• Asset Management - This concerns the way that organizations create an inventory of and classification scheme for information assets.
• Access Control - This describes the restriction of access rights to networks, systems, applications, functions, and data.
• Cryptography - This concerns data encryption and the management of sensitive information to protect confidentiality, integrity, and availability of data.
• Physical and Environmental Security - This describes the protection of the physical computer facilities and equipment within an organization.
Network Security Policies
Network Security Domains (Cont.)
Network Security Domain - Description
• Operations Security - This describes the management of technical security controls in systems and networks, including malware defenses, data backup, logging and monitoring, vulnerability management, and audit considerations. This domain is also concerned with the integrity of software that is used in business operations.
• Communications Security - This concerns the security of data as it is communicated on networks, both within an organization and between an organization and third parties such as customers or suppliers.
• System Acquisition, Development, and Maintenance - This ensures that information security remains a central concern in an organization’s processes across the entire lifecycle, in both private and public networks.
• Supplier Relationships - This concerns the specification of contractual agreements that protect an organization’s information and technology assets that are accessible by third parties that provide supplies and services to the organization.
• Information Security Incident Management - This describes how to anticipate and respond to information security breaches.

Network Security Policies
Network Security Domains (Cont.)
Network Security Domain - Description
• Business Continuity Management - This describes the protection, maintenance, and recovery of business-critical processes and systems.
• Compliance - This describes the process of ensuring conformance with information security policies, standards, and regulations.

Network Security Policies
Business Policies
Business policies are the guidelines that are developed by an organization to govern its actions. The policies define standards of correct behavior for the business and its employees. In networking, policies define the activities that are allowed on the network. This sets a baseline of acceptable use. If behavior that violates business policy is detected on the network, it is possible that a security breach has occurred.

Policy - Description
• Company policies
  • These policies establish the rules of conduct and the responsibilities of both employees and employers.
  • Policies protect the rights of workers as well as the business interests of employers.
  • Depending on the needs of the organization, various policies and procedures establish rules regarding employee conduct, attendance, dress code, privacy, and other areas related to the terms and conditions of employment.
• Employee policies
  • These policies are created and maintained by human resources staff to identify employee salary, pay schedule, employee benefits, work schedule, vacations, and more.
  • They are often provided to new employees to review and sign.

Network Security Policies
Business Policies (Cont.)

Policy - Description
• Security policies
  • These policies identify a set of security objectives for a company, define the rules of behavior for users and administrators, and specify system requirements.
  • These objectives, rules, and requirements collectively ensure the security of a network and the computer systems in an organization.
  • Much like a continuity plan, a security policy is a constantly evolving document based on changes in the threat landscape, vulnerabilities, and business and employee requirements.

Network Security Policies
Security Policy
Security policies are used to inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance. Policies that may be included in a security policy are:

Policy - Description
• Identification and authentication policy - Specifies authorized persons that can have access to network resources and identity verification procedures.
• Password policies - Ensures passwords meet minimum requirements and are changed regularly.
• Acceptable Use Policy (AUP) - Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated.
• Remote access policy - Identifies how remote users can access a network and what is accessible via remote connectivity.
• Network maintenance policy - Specifies network device operating systems and end user application update procedures.
• Incident handling procedures - Describes how security incidents are handled.

Network Security Policies
BYOD Policies
Many organizations must now also support Bring Your Own Device (BYOD). This enables employees to use their own mobile devices to access company systems, software, networks, or information. This can bring an increased information security risk because BYOD can lead to data breaches and greater liability for the organization. BYOD security best practices to help mitigate BYOD vulnerabilities are:

Best Practice - Description
• Password protected access - Use unique passwords for each device and account.
• Manually control wireless connectivity - Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks.
• Keep updated - Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits.
• Back up data - Enable backup of the device in case it is lost or stolen.
• Enable “Find my Device” - Subscribe to a device locator service with remote wipe feature.
• Provide antivirus software - Provide antivirus software for approved BYOD devices.
• Use Mobile Device Management (MDM) software - MDM software enables IT teams to implement security settings and software configurations on all devices that connect to company networks.

Network Security Policies
Regulatory and Standards Compliance

There are also external regulations regarding network security. Network security professionals must
be familiar with the laws and codes of ethics that are binding on Information Systems Security
(INFOSEC) professionals.

Many organizations are mandated to develop and implement security policies. Compliance
regulations define what organizations are responsible for providing and the liability if they fail to
comply. The compliance regulations that an organization is obligated to follow depend on the type of
organization and the data that the organization handles.

3.3 Security Tools, Platforms, and Services

Security Tools, Platforms, and Services
The Security Onion and The Security Artichoke

A common analogy used to describe a defense-in-depth approach is called “the security onion.” A threat actor would have to peel away at a network’s defenses layer by layer in a manner similar to peeling an onion. Only after penetrating each layer would the threat actor reach the target data or system.

Note: The security onion described on this page is a way of visualizing defense-in-depth. This is not to be confused with the Security Onion suite of network security tools.
Security Tools, Platforms, and Services
The Security Onion and The Security Artichoke (Cont.)

The changing landscape of networking, such as the evolution of borderless networks, has changed this analogy to the “security artichoke”, which benefits threat actors because they no longer have to peel away each layer. They only need to remove certain “artichoke leaves.” The threat actor peels away the security armor along the perimeter to get to the “heart” of the enterprise.

Security Tools, Platforms, and Services
Security Testing Tools
Ethical hacking involves using different types of tools to test the network and end devices to validate the security of the network. Penetration testing uses hacker techniques and tools to evaluate the strength of network security measures. Cybersecurity personnel must also know how to use these tools when performing network penetration tests.

Categories of Tools - Description
• Password crackers - Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover the password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
• Wireless hacking tools - Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.

Security Tools, Platforms, and Services
Security Testing Tools (Cont.)
Categories of Tools - Description
• Network scanning and hacking tools - Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
• Packet crafting tools - Packet crafting tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
• Packet sniffers - Packet sniffer tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
• Rootkit detectors - A rootkit detector is a directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
• Fuzzers to search vulnerabilities - Fuzzers are tools used by threat actors when attempting to discover a computer system’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
• Forensic tools - White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.

Security Tools, Platforms, and Services
Security Testing Tools (Cont.)
Categories of Tools - Description
• Debuggers - Debugger tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
• Hacking operating systems - Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.
• Encryption tools - These tools safeguard the contents of an organization’s data when it is stored or transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, OpenVPN, and Stunnel.
• Vulnerability exploitation tools - These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Tool Kit, and Netsparker.
• Vulnerability scanners - These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of these tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.

Security Tools, Platforms, and Services
Data Security Platforms
A Data Security Platform (DSP) is an integrated security solution that combines traditionally independent tools into a suite of tools that are made to work together. Security tools that protect and monitor networks are often made by different vendors. It can be difficult to integrate these tools in such a way that a single view of network security can be achieved.

One such DSP is the Helix platform from FireEye. FireEye Helix is a cloud-based security operations platform that enables organizations to integrate many security functionalities into a single platform. Helix provides event management, network behavior analytics, advanced threat detection, and security orchestration, automation, and response (SOAR) for responding to threats as they are detected.

Security Tools, Platforms, and Services

Data Security Platforms (Cont.)


Another integrated DSP is Cisco SecureX. The Cisco Secure portfolio consists of a broad set of technologies that function as a team - providing interoperability with the security infrastructure, including third-party technologies. This results in unified visibility, automation, and stronger defenses. The Cisco SecureX platform works with diverse products that combine to safeguard your network, users and endpoints, cloud edge, and applications. SecureX functionality is built in to a large and diverse portfolio of Cisco security products including next-generation firewalls, VPN, network analytics, identity service engine, advanced malware protection (AMP), and many other systems that work to secure all aspects of a network. SecureX also integrates a range of third-party security tools.

Security Tools, Platforms, and Services
Video - Cisco SecureX Demonstration

Security Tools, Platforms, and Services
Security Services
Threat intelligence and security services allow the exchange of threat information such as vulnerabilities, indicators of compromise (IOC), and mitigation techniques. As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to the devices that have subscribed to the service.

One such service is the Cisco Talos Threat Intelligence Group. Talos is one of the largest commercial threat intelligence teams in the world. The goal of Talos is to help protect enterprise users, data, and infrastructure from active adversaries. The Talos team collects information about active, existing, and emerging threats. Talos then provides comprehensive protection against these attacks and malware to its subscribers.

Cisco Security products can use Talos threat intelligence in real time to provide fast and effective security solutions.
3.4 Mitigating Common Network Attacks

Mitigating Common Network Attacks
Defending the Network
Constant vigilance and ongoing education are required to defend your network against attack. The
following are best practices for securing a network:
• Develop a written security policy for the company.
• Educate employees about the risks of social engineering, and develop strategies to validate
identities over the phone, via email, or in person.
• Control physical access to systems.
• Use strong passwords and change them often.
• Encrypt and password-protect sensitive data.
• Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN)
devices, antivirus software, and content filtering.
• Perform backups and test the backed-up files on a regular basis.
• Shut down unnecessary services and ports.
• Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow
and privilege escalation attacks.
• Perform security audits to test the network.
Mitigating Common Network Attacks
Mitigating Malware
Malware, including viruses, worms, and Trojan horses, can cause serious problems on
networks and end devices. Network administrators have several means of mitigating these
attacks.

Antivirus software helps prevent hosts from getting infected and spreading malicious code. Several companies create antivirus software, such as Symantec, McAfee, and Trend Micro. Antivirus products have update automation options so that new virus definitions and new software updates can be downloaded automatically or on demand. This practice is the most critical requirement for keeping a network free of viruses and should be formalized in a network security policy.

These products are installed on computers and servers to detect and eliminate viruses. However, they do not prevent viruses from entering the network. Another way to mitigate malware threats is to prevent malware files from entering the network at all. Security devices at the network perimeter can identify known malware files based on their indicators of compromise. The files can be removed from the incoming data stream before they can cause an incident.
Mitigating Common Network Attacks
Mitigating Worms
Worms are more network-based than viruses. Worm mitigation requires diligence and coordination on the part of network security professionals. The response to a worm attack can be broken down into four phases: containment, inoculation, quarantine, and treatment.

Phase - Response
1. Containment - The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected. This requires compartmentalization and segmentation of the network to slow down or stop the worm and to prevent currently infected hosts from targeting and infecting other systems. Containment requires using both outgoing and incoming ACLs on routers and firewalls at control points within the network.
2. Inoculation - The inoculation phase runs parallel to or subsequent to the containment phase. During the inoculation phase, all uninfected systems are patched with the appropriate vendor patch. The inoculation process further deprives the worm of available targets.
3. Quarantine - The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.
4. Treatment - The treatment phase involves actively disinfecting infected systems. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system. Alternatively, in more severe cases, the system may need to be reinstalled to ensure that the worm and its by-products are removed.

Mitigating Common Network Attacks
Mitigating Reconnaissance Attacks
Reconnaissance attacks are typically the precursor to other attacks that are designed to gain unauthorized access to a network or disrupt network functionality. You can detect when a reconnaissance attack is underway by receiving notifications from preconfigured alarms. These alarms are triggered when certain parameters are exceeded, such as the number of ICMP requests per second. Reconnaissance attacks can be mitigated in several ways, including the following:

• Implementing authentication to ensure proper access.
• Using encryption to render packet sniffer attacks useless.
• Using anti-sniffer tools to detect packet sniffer attacks.
• Implementing a switched infrastructure.
• Using a firewall and IPS.

It is impossible to mitigate port scanning. Using an IPS and firewall can limit the information that can be discovered with a port scanner. Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers; however, when these services are turned off, network diagnostic data is lost.
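The ICMP-rate alarm and ping-sweep detection described above, as an added example that is not part of the course material: a small detector that runs over constructed log records (the record format, addresses and thresholds are invented for this example) and raises an alarm when one source exceeds a per-second echo-request threshold or probes many distinct hosts within a short window.

```python
"""Reconnaissance alarms over ICMP logs: per-second echo-request rate and ping sweeps.

Added example, not part of the NETSEC course. The record format
"<epoch_seconds> <proto> <kind> <src> -> <dst>" is constructed for this example
and is not any vendor's real syslog format; a real deployment would parse the
firewall or IPS log format in use.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<proto>\S+) (?P<kind>\S+) (?P<src>\S+) -> (?P<dst>\S+)$")

# Constructed sample records: one host pinging 12 addresses within a single second
# (a sweep), one host pinging a single server occasionally, plus unrelated traffic.
SAMPLE_LOG = "\n".join(
    [f"1700000000 ICMP echo-request 10.0.0.5 -> 192.168.1.{i}" for i in range(1, 13)]
    + [
        "1700000001 ICMP echo-request 10.0.0.7 -> 192.168.1.20",
        "1700000001 ICMP echo-reply 192.168.1.20 -> 10.0.0.7",
        "1700000002 TCP syn 10.0.0.7 -> 192.168.1.20",
        "1700000003 ICMP echo-request 10.0.0.7 -> 192.168.1.20",
        "1700000005 ICMP echo-request 10.0.0.7 -> 192.168.1.20",
    ]
)


@dataclass(frozen=True)
class IcmpEvent:
    ts: int
    kind: str
    src: str
    dst: str


def parse_icmp_events(log_text):
    """Keep only well-formed ICMP records; other protocols and malformed lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("proto") != "ICMP":
            continue
        events.append(IcmpEvent(int(m.group("ts")), m.group("kind"), m.group("src"), m.group("dst")))
    return events


def echo_request_rate_alarms(events, max_per_second=10):
    """Alarm when a source sends more than max_per_second echo-requests in one second.

    Returns {(src, second): count} for every (source, second) over the threshold.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev.kind == "echo-request":
            counts[(ev.src, ev.ts)] += 1
    return {key: n for key, n in counts.items() if n > max_per_second}


def ping_sweep_alarms(events, window_seconds=60, min_distinct_hosts=8):
    """Alarm when a source echo-requests at least min_distinct_hosts distinct
    destinations inside any sliding window of window_seconds.

    Returns {src: largest distinct-destination count seen in one window}.
    """
    per_src = defaultdict(list)
    for ev in events:
        if ev.kind == "echo-request":
            per_src[ev.src].append(ev)
    alarms = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_seconds:
                start += 1  # slide the window start forward until it fits
            distinct = {e.dst for e in evs[start:end + 1]}
            if len(distinct) >= min_distinct_hosts:
                alarms[src] = max(alarms.get(src, 0), len(distinct))
    return alarms


if __name__ == "__main__":
    evs = parse_icmp_events(SAMPLE_LOG)
    print("rate alarms :", echo_request_rate_alarms(evs))
    print("sweep alarms:", ping_sweep_alarms(evs))
```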
Mitigating Common Network Attacks
Mitigating Access Attacks
Several techniques are available for mitigating access attacks, including strong password security, the principle of minimum trust, cryptography, and applying operating system and application patches. A surprising number of access attacks are carried out through simple password guessing or brute-force dictionary attacks against passwords. To defend against this, create and enforce a strong authentication policy that includes:
• Use strong passwords - Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.
• Disable accounts after a specified number of unsuccessful logins has occurred - This practice helps to prevent continuous password attempts.

Use encryption for remote access to a network and for routing protocol traffic to reduce the possibility of man-in-the-middle attacks. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person. Multifactor authentication (MFA) has become increasingly common.
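The password rule and the lockout behaviour from the two bullets above, as an added Python example (not code from the course or from Cisco): password_is_strong() encodes the slide's eight-character, mixed-class rule, and login() disables the account after max_failures consecutive failures so that a dictionary attack is cut off after a handful of guesses. The class and function names, the three-strike limit and the sample credentials are assumptions made for this example.

```python
import hashlib
import hmac
import os
import string


class AuthPolicy:
    """Strong-password rule plus account lockout after repeated failures."""

    MIN_LENGTH = 8

    def __init__(self, max_failures=3):
        self.max_failures = max_failures   # assumption: three strikes, then disabled
        self._creds = {}                   # user -> (salt, derived key)
        self._failures = {}                # user -> consecutive failed logins
        self._disabled = set()

    @classmethod
    def password_is_strong(cls, pw):
        """Course rule: at least 8 characters with upper, lower, digit and special."""
        return (len(pw) >= cls.MIN_LENGTH
                and any(c.isupper() for c in pw)
                and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw))

    @staticmethod
    def _derive(pw, salt):
        # Store a slow, salted derivation, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def set_password(self, user, pw):
        if not self.password_is_strong(pw):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._creds[user] = (salt, self._derive(pw, salt))
        self._failures[user] = 0

    def login(self, user, pw):
        """Return 'ok', 'locked', or 'denied' (unknown user or wrong password)."""
        if user in self._disabled:
            return "locked"
        if user not in self._creds:
            return "denied"   # same answer as a wrong password: do not reveal valid users
        salt, stored = self._creds[user]
        if hmac.compare_digest(self._derive(pw, salt), stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._disabled.add(user)   # stays disabled until an administrator unlocks it
            return "locked"
        return "denied"

    def unlock(self, user):
        self._failures[user] = 0
        self._disabled.discard(user)


def demo_lockout():
    """Three wrong guesses disable the account; the right password then no longer works."""
    policy = AuthPolicy(max_failures=3)
    policy.set_password("admin", "Tr0ub4dor&3")   # constructed sample secret
    results = [policy.login("admin", g) for g in ("password", "admin123", "letmein")]
    results.append(policy.login("admin", "Tr0ub4dor&3"))
    return results


if __name__ == "__main__":
    print(demo_lockout())
```

The credential store keeps only a salted PBKDF2 derivation, so a copied configuration does not expose the password, and the comparison uses hmac.compare_digest so the check does not leak timing information about how many bytes matched.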
Mitigating Common Network Attacks
Mitigating DoS Attacks

One of the first signs of a DoS attack is a large number of user complaints about
unavailable resources or unusually slow network performance. A network utilization graph
showing unusual activity could indicate a DoS attack. To minimize the number of attacks,
a network utilization software package should be running at all times.

Historically, many DoS attacks were sourced from spoofed addresses. Cisco routers and
switches support many antispoofing technologies, such as port security, Dynamic Host
Configuration Protocol (DHCP) snooping, IP Source Guard, Dynamic Address Resolution
Protocol (ARP) Inspection, and access control lists (ACLs).

3.5 Cisco Network Foundation Protection Framework

Cisco Network Foundation Protection Framework
NFP Framework
The Cisco Network Foundation Protection (NFP) framework provides comprehensive guidelines for protecting the network infrastructure. These guidelines form the foundation for continuous delivery of service. NFP logically divides routers and switches into three functional areas:
• Control plane - Responsible for routing data correctly.
• Management plane - Responsible for managing network elements.
• Data plane - Responsible for forwarding data.

Cisco Network Foundation Protection Framework
Securing the Control Plane
Control plane traffic consists of device-generated packets required for the operation of the network itself. Control plane security can be implemented using the following features:
• Routing protocol authentication - Routing protocol authentication, or neighbor authentication, prevents a router from accepting fraudulent routing updates.
• Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature that lets users control the flow of traffic that is handled by the route processor of a network device.
• AutoSecure - This can lock down the management plane functions and the forwarding plane services and functions of a router.

CoPP is designed to prevent unnecessary traffic from overwhelming the route processor. The CoPP feature treats the control plane as a separate entity with its own ingress (input) and egress (output) ports. A set of rules can be established and associated with the ingress and egress ports of the control plane.
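To make the CoPP description concrete, here is an added Python model (example code written for this page, not a Cisco implementation and not IOS configuration) of a control-plane policer: classify() maps an inbound control-plane packet to a traffic class, and each class gets a token bucket with its own rate and burst, so a flood in one class (ICMP in the sample) is dropped once its bucket empties while routing and management traffic keep their own allowance. The class names, rates, bursts and the packets in run_copp_sample() are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Summary of a packet punted to the route processor (constructed)."""
    ts_ms: int      # arrival time in milliseconds
    proto: str      # "ospf", "tcp", "udp" or "icmp"
    dport: int = 0  # destination port for tcp/udp


def classify(pkt):
    """Map a control-plane packet to a policing class (assumed classes)."""
    if pkt.proto == "ospf" or (pkt.proto == "tcp" and pkt.dport == 179):
        return "routing"        # OSPF, BGP
    if (pkt.proto == "tcp" and pkt.dport in (22, 23)) or (pkt.proto == "udp" and pkt.dport == 161):
        return "management"     # SSH, Telnet, SNMP
    if pkt.proto == "icmp":
        return "icmp"
    return "default"


class TokenBucket:
    """Integer token bucket; tokens are kept in thousandths to avoid float drift."""

    def __init__(self, rate_pps, burst):
        self.rate = rate_pps          # tokens refilled per second
        self.cap = burst * 1000       # bucket depth in thousandths of a token
        self.tokens = self.cap
        self.last_ms = None

    def allow(self, ts_ms):
        if self.last_ms is not None:
            # rate (per second) * elapsed milliseconds == thousandths of a token
            self.tokens = min(self.cap, self.tokens + (ts_ms - self.last_ms) * self.rate)
        self.last_ms = ts_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class ControlPlanePolicer:
    """Per-class policing of traffic arriving at the control-plane ingress."""

    def __init__(self, policy):
        # policy: class name -> (rate_pps, burst), or None for no limit
        self.buckets = {c: TokenBucket(*p) if p else None for c, p in policy.items()}
        self.stats = {c: {"permit": 0, "drop": 0} for c in policy}

    def process(self, pkt):
        cls = classify(pkt)
        bucket = self.buckets[cls]
        verdict = "permit" if bucket is None or bucket.allow(pkt.ts_ms) else "drop"
        self.stats[cls][verdict] += 1
        return verdict


def run_copp_sample():
    """Constructed traffic: OSPF hellos, an SSH session, and an ICMP flood."""
    policer = ControlPlanePolicer({
        "routing": (100, 50),
        "management": (50, 20),
        "icmp": (10, 10),
        "default": (5, 5),
    })
    pkts = [Packet(i * 10_000, "ospf") for i in range(5)]           # one hello every 10 s
    pkts += [Packet(1_000 + i * 50, "tcp", 22) for i in range(6)]   # short SSH exchange
    pkts += [Packet(50_000 + i * 5, "icmp") for i in range(200)]    # 200 pings in 1 s
    for pkt in sorted(pkts, key=lambda p: p.ts_ms):
        policer.process(pkt)
    return policer.stats


if __name__ == "__main__":
    for cls, counts in run_copp_sample().items():
        print(f"{cls:<11} permit={counts['permit']:<4} drop={counts['drop']}")
```

With the ICMP class allowed 10 packets per second and a burst of 10, the flood gets its burst through and then roughly one packet per 100 ms, 19 of 200 in total, while every OSPF hello and SSH packet is forwarded to the route processor untouched. Keeping the bucket arithmetic in integers matters for a policer: fractional drift would make the permit count depend on rounding rather than on the configured rate.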

Cisco Network Foundation Protection Framework
Securing the Management Plane
Management plane traffic is generated either by network devices or by network management stations, using processes and protocols such as Telnet, SSH, and TFTP. The management plane is a very attractive target to hackers.

Management plane security can be implemented using the following features:
• Login and password policy - Restricts device accessibility.
• Present legal notification - Displays legal notices.
• Ensure the confidentiality of data - Protects locally stored sensitive data from being viewed or copied. Uses management protocols with strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device configurations.
• Role-based access control (RBAC) - Ensures access is only granted to authenticated users, groups, and services.
• Authorize actions - Restricts the actions and views that are permitted by any particular user, group, or service.
• Enable management access reporting - Logs and accounts for all access.
Cisco Network Foundation Protection Framework
Securing the Data Plane
Data plane traffic consists mostly of user packets being forwarded through the router. Data plane security can be implemented using ACLs, antispoofing mechanisms, and Layer 2 security features. ACLs are used to secure the data plane in a variety of ways:
• Blocking unwanted traffic or users
• Reducing the chance of DoS
• Mitigating spoofing attacks
• Providing bandwidth control
• Classifying traffic to protect the management and control planes

Cisco Catalyst switches can use integrated features to help secure the Layer 2 infrastructure. The following Layer 2 security tools are integrated into the Cisco Catalyst switches:
• Port security
• DHCP snooping
• Dynamic ARP Inspection (DAI)
• IP Source Guard
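The antispoofing technologies named on the DoS slide and the four Layer 2 tools listed here work together on an access switch. The following added Python model (example code written for this page, not Cisco's implementation) shows how: DHCP snooping builds a binding table of client MAC, assigned IP and port from DHCP ACKs seen on the trusted uplink and drops server messages arriving on untrusted ports; Dynamic ARP Inspection and IP Source Guard then check ARP and IP traffic on untrusted ports against that table; and port security err-disables a port that presents more source MACs than allowed. The Frame fields, the verdict strings, the port names and the frames in run_switch_sample() are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """The fields of an ingress frame the switch inspects (constructed)."""
    port: str
    src_mac: str
    kind: str              # "dhcp-discover", "dhcp-ack", "arp" or "ip"
    src_ip: str = ""       # IP header source (kind == "ip")
    sender_mac: str = ""   # ARP sender hardware address (kind == "arp")
    sender_ip: str = ""    # ARP sender protocol address (kind == "arp")
    client_mac: str = ""   # DHCP chaddr (kind == "dhcp-ack")
    client_ip: str = ""    # DHCP yiaddr (kind == "dhcp-ack")


class AccessSwitch:
    """Port security, DHCP snooping, DAI and IPSG as one ingress pipeline."""

    def __init__(self, trusted_ports, max_macs=1):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server
        self.max_macs = max_macs            # port-security maximum per access port
        self.learned = defaultdict(set)     # port -> secure MAC addresses
        self.err_disabled = set()
        self.request_port = {}              # client MAC -> port its DHCP request came in on
        self.bindings = {}                  # client MAC -> (IP, port) from DHCP snooping

    def ingress(self, f):
        if f.port in self.err_disabled:
            return "drop:err-disabled"
        if f.port not in self.trusted:
            # Port security: more source MACs than allowed shuts the port.
            self.learned[f.port].add(f.src_mac)
            if len(self.learned[f.port]) > self.max_macs:
                self.err_disabled.add(f.port)
                return "drop:port-security-violation"
        if f.kind == "dhcp-discover":
            self.request_port[f.src_mac] = f.port
            return "forward"
        if f.kind == "dhcp-ack":
            # DHCP snooping: server messages are accepted only from trusted ports.
            if f.port not in self.trusted:
                return "drop:dhcp-snooping"
            port = self.request_port.get(f.client_mac)
            if port is not None:
                self.bindings[f.client_mac] = (f.client_ip, port)
            return "forward"
        if f.port in self.trusted:
            return "forward"    # DAI and IPSG apply to untrusted ports only
        if f.kind == "arp":
            # DAI: sender MAC/IP must match this port's snooping binding.
            if self.bindings.get(f.sender_mac) != (f.sender_ip, f.port):
                return "drop:dai"
            return "forward"
        if f.kind == "ip":
            # IPSG: source IP/MAC must match this port's snooping binding.
            if self.bindings.get(f.src_mac) != (f.src_ip, f.port):
                return "drop:ipsg"
            return "forward"
        return "forward"


def run_switch_sample():
    """Constructed frames; all MAC and IP values are made up for the example."""
    a, b, c, d = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03", "cc:cc:cc:00:00:04"
    sw = AccessSwitch(trusted_ports={"Gi0/24"})
    frames = [
        Frame("Gi0/1", a, "dhcp-discover"),
        Frame("Gi0/24", "00:11:22:33:44:55", "dhcp-ack", client_mac=a, client_ip="10.0.0.11"),
        Frame("Gi0/2", b, "dhcp-ack", client_mac=a, client_ip="10.0.0.200"),  # rogue DHCP server
        Frame("Gi0/1", a, "arp", sender_mac=a, sender_ip="10.0.0.11"),
        Frame("Gi0/2", b, "arp", sender_mac=b, sender_ip="10.0.0.1"),          # claims gateway IP
        Frame("Gi0/1", a, "ip", src_ip="10.0.0.11"),
        Frame("Gi0/1", a, "ip", src_ip="10.0.0.99"),                             # spoofed source
        Frame("Gi0/3", c, "dhcp-discover"),
        Frame("Gi0/3", d, "dhcp-discover"),                                      # second MAC on port
        Frame("Gi0/3", c, "dhcp-discover"),
    ]
    return [sw.ingress(f) for f in frames]


if __name__ == "__main__":
    for verdict in run_switch_sample():
        print(verdict)
```

The ordering is the point: DHCP snooping must come first because DAI and IPSG have nothing to check against until the binding table exists, which is also why a host with a static address on an untrusted port needs a static binding configured or its traffic is dropped.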
3.6 Mitigating Threats Summary

Mitigating Threats Summary
What Did I Learn in this Module?
• Network security professionals are responsible for maintaining data assurance for an organization
and ensuring the integrity and confidentiality of information.
• There are several network security organizations to keep you informed, including SANS, Mitre,
FIRST, SecurityNewsWire, ISC2, and CIS.
• The 14 network security domains specified by ISO/IEC serve as a common basis for developing organizational security standards.
• The Security Onion and Security Artichoke provide analogies for understanding approaches to
network security.
• Penetration tools are used by security personnel to validate network security.
• Threat intelligence services, such as Cisco Talos, allow the exchange of the latest threat
information.
• Various tools, software, and services help with the mitigation of malware, reconnaissance, DoS
and address spoofing attacks.
• The Cisco Network Foundation Protection (NFP) framework provides comprehensive guidelines for protecting the network infrastructure by addressing security at the control plane, management plane, and data plane (forwarding plane) of network devices.
• The following Layer 2 security tools are integrated into the Cisco Catalyst switches: port security,
DHCP snooping, DAI, and IPSG.
Mitigating Threats
New Terms and Commands
• Chief Information Officer (CIO)
• Chief Information Security Officer (CISO)
• Security Operations (SecOps) Manager
• SysAdmin, Audit, Network, Security (SANS) Institute
• Mitre Corporation
• common vulnerabilities and exposures (CVE)
• Forum of Incident Response and Security Teams (FIRST)
• International Information Systems Security Certification Consortium (ISC2)
• The Center for Internet Security (CIS)
• Global Information Assurance Certification (GIAC)
• Information Systems Audit and Control Association (ISACA)
• The Implementing and Operating Cisco Security Core Technologies (350-701 SCOR) exam
• CIA triad
• security onion
• security artichoke
• password crackers
• packet crafting tools
• packet sniffers
• rootkit detectors
• hacking operating systems
• Data Security Platforms (DSP)
• threat intelligence and security services
• Cisco Talos Threat Intelligence Group
• multifactor authentication (MFA)
• Cisco Network Foundation Protection (NFP) framework
• control plane
• management plane
• data plane (forwarding plane)
• Control Plane Policing (CoPP)
• port security
• DHCP snooping
• Dynamic ARP Inspection (DAI)
• IP Source Guard (IPSG)